Abstract

The Discrete Logarithm Problem is well-known among cryptographers, for its computational hardness that 
grants security to some of the most commonly used cryptosystems these days. Still, many of these are limited to 
a small number of candidate algebraic structures which permit implementing the algorithms. In order to extend 
the applicability of discrete-logarithm-based cryptosystems to a much richer class of algebraic structures, we 
present a generalized form of exponential function. Our extension relaxes some assumptions on the exponent, 
which is no longer required to be an integer. Using an axiomatic characterization of the exponential function, 
we show how to construct mappings that obey the same rules as exponentials, but can raise vectors to the power 
of other vectors in an algebraically sound manner. At the same time, computational hardness is not affected (in 
fact, the problem could possibly be strengthened). Setting up standard cryptosystems in terms of our generalized 
exponential function is simple and requires no change to the existing security proofs. This opens the field for 
building much more general schemes than the ones known so far. 

1 Introduction 

Many cryptosystems are proven to be secure under a particular computational assumption, such as RSA [33] for instance, resting its security on the difficulty of the Factoring Problem. Many others, such as ElGamal [13, 14], are based on the Discrete Logarithm Problem [27] and other related problems, on which the focus of this paper lies. Henceforth, we consider a group $G_q$ of prime order $q$, for simplicity. Therein, the Discrete Logarithm Problem (DLP) is the following: given $y, g \in G_q$, $g \neq 1$, and $q$, find $x \in \mathbb{Z}_q$ such that $y = g^x$. The integer $x$ is called the discrete logarithm of $y$ to the base $g$, here denoted as $\mathrm{dlog}_g(y)$. The problem of constructing $g^{x_1 x_2}$ solely from $(g^{x_1}, g^{x_2})$ is known as the Diffie-Hellman Problem (DHP) [12]. To decide whether a given triple $(y_1, y_2, y_3) \in G_q^3$ is of the form $(g^{x_1}, g^{x_2}, g^{x_1 x_2})$ is known as the Decision Diffie-Hellman Problem (DDP) [2]. Obviously, solving the DLP gives trivial solutions to the DHP and the DDP, respectively. Similarly, solving the DHP leads to an efficient solution of the DDP. The inverse directions are less obvious. The DLP and the DHP have been shown to be computationally equivalent for groups whose order is free of multiple large prime factors [25, 23]. This is the case for $G_q$, since $q$ is prime. In contrast to that, the computational equivalence between the DHP and the DDP has only been shown to hold for groups whose order consists only of small prime factors [24]. The computational equivalence between the DHP and the DDP for $G_q$, $q$ prime, has not been shown yet.

Several cryptosystems are based on Discrete Logarithm Problems. The ElGamal encryption scheme, for instance, is semantically secure under the assumption that solving the DHP is hard. Moreover, under the assumption that the DDP is hard, it is guaranteed that, given two ciphertexts, it is not efficiently possible to decide whether both contain the same plaintext. Unfortunately, the ElGamal encryption scheme is insecure against chosen ciphertext attacks [39]. The Cramer-Shoup encryption scheme overcomes this drawback, while resting its security on the DDP. Besides encryption schemes, the DLP can be found in several signature schemes, such as ElGamal's [13] or Schnorr's [35], or in the Digital Signature Algorithm [29]. Interactive proofs of knowledge [1] (in particular $\Sigma$-proofs), commitment schemes [8, 11], verifiable encryption [40], verifiable secret sharing [15, 30, 16], and secure multi-party computation [17] belong to advanced cryptographic techniques that are often based on Discrete Logarithm Problems. Especially the DDP finds wide attraction in applications where privacy plays an important role, such as in voting schemes [6] or anonymous credential systems.

Recently, we managed to generalize the standard exponential function on a group $G_q$ to a counterpart that takes pairs in the base and the exponent, rather than scalars. This function shares the basic properties of exponential functions, which allows us to call it "exponentiation". Because all four input elements are uniformly included in the computation of the output (we call this property "fusion"), we call this kind of exponential function "Fusion Exponential Function" (see the end of Section 4.2 for a discussion of the fusion property). The latter name also avoids confusion with ordinary exponentiation. The Fusion DLP (FDLP), the Fusion DHP (FDHP) and the Fusion DDP (FDDP) are defined in the usual way. Our preliminary results can be found in [34].

In this paper we sketch the results of [34] in a more constructive way and generalize the Fusion Exponential Function such that it works with $n$-tuples of elements of $G_q$ in the basis and $n$-tuples of elements of $\mathbb{Z}_q$ in the exponent, for $n$ not being restricted to $n = 2$ as is the case in [34]. We also show that the basic properties are still shared with ordinary exponentiation and that the latter is a special case of the Generalized Fusion Exponential Function, i.e. the case $n = 1$. Afterwards, we define the FDLP, FDHP and FDDP in the generalized setting and show security relations between the Discrete Logarithm Problems in the ordinary and the fusion setting. Finally, applications and possible security benefits are discussed.



2 Exponentiation in a Group of Prime Order

2.1 Basic Properties

As is well known, $g^x$ is defined as the $x$-fold product of $g$ with itself. For all $g, h \in G_q$ and $x, y \in \mathbb{Z}_q$ we have the following properties:

$(g^x)^y = g^{xy}$ (1)

$g^{x+y} = g^x g^y$ (2)

$(gh)^x = g^x h^x$ (3)

Furthermore, $g^0 = 1$ and $g^{-x} = (g^x)^{-1}$. The properties stated above are fundamental for realizing discrete-logarithm-based cryptosystems.

Remark 1. Property (3) is redundant, being a consequence of (1) and (2) and the fact that $h$ can be written as $g^w$ for some $w \in \mathbb{Z}_q$ and $g \in G_q \setminus \{1\}$, i.e.

$(gh)^x = (g g^w)^x \overset{(2)}{=} (g^{1+w})^x \overset{(1)}{=} g^{(1+w)x} = g^{x + wx} \overset{(2)}{=} g^x g^{wx} \overset{(1)}{=} g^x (g^w)^x = g^x h^x.$



2.2 Computing Discrete Logarithms 

Computing $y = g^x$, for a given $g \in G_q$ and $x \in \mathbb{Z}_q$, can be done efficiently. For instance, the Square-and-Multiply algorithm [28] requires only $O(\log q)$ group operations. However, no efficient generic algorithm for solving the DLP is known, except for some special cases where parameters are chosen in a particular manner. A generic algorithm does not exploit any specific properties of the objects to which it is applied [38]. It works on any group where each element can be encoded as a binary string and the group operations can be treated as a black box. Two of the best-known generic attack algorithms are Pollard's rho algorithm [32] and Shanks' Baby-Step Giant-Step algorithm [37], having exponential running time in $O(\sqrt{q})$ and $O(\sqrt{q} \log q)$, respectively. Due to their computational complexity they are also called generic square-root attacks [11]. If the order of the group is a composite $n$, then the best attack known to date is the Pohlig-Hellman algorithm [31], computing $x$ in $O(\sqrt{r})$ steps, where $r$ is the largest prime factor of $n$.

For a chosen group, an algorithm may exist that takes advantage of some special properties of the group. Such an algorithm is not generic since it is not applicable to any group structure. For instance, if $G_q$ is a subgroup of $\mathbb{Z}_p^*$, where $p$ is a prime, the Index-Calculus algorithm [28] can compute $x$ in sub-exponential time, being more efficient than a generic square-root attack. However, this algorithm cannot be applied to $G_q$ being a subgroup of an elliptic curve group over a finite field, for instance. So far, no algorithm is known that computes elliptic curve discrete logarithms faster than in $O(\sqrt{q})$ steps.

3 Basic Fusion Exponential Function 

In the fusion setting, as introduced in [34], exponents are defined as pairs of integers in $\mathbb{Z}_q$. It is convenient to have the exponents of the extended exponentiation coming from a field (in fact a commutative ring with 1 would suffice, but a field gives rise to a wider class of applications), while in the basis a group is most likely sufficient. A natural choice for the source of the exponents is thus a field of order $p = q^2$, which is easily constructed by choosing $q \equiv 3 \pmod 4$ and setting $\mathbb{F}_p := \mathbb{Z}_q[X]/(X^2 + 1)$, for instance.

Remark 2. For simplicity, we sometimes denote a pair $(a, b) \in \mathbb{Z}_q^2$ or $(a, b) \in G_q^2$ by a sans-serif letter, say $\mathsf{x}$, for instance.

Let us review the derivation of the basic Fusion Exponential Function, as given in [34]¹. This idea will later be amended to yield the general scheme. To realize schemes based on the Diffie-Hellman paradigm [12], any exponential function candidate needs to obey property (1) at least, so let us define a simple form of generalized exponential function, taking a pair in the exponent, as

$g^{\mathsf{x}} = g^{(c, d)} := (g^c, g^d), \quad (4)$

where $\mathsf{x} \in \mathbb{F}_p$, $\mathsf{x} = (c, d)$ and $g \in G_q \setminus \{1\}$, thus $g$ having order $q$. Suppose we are given a term $g^{\mathsf{x}}$ according to the convention (4), and we wish to find $(g^{\mathsf{x}})^{\mathsf{y}}$ such that the result equals $g^{\mathsf{xy}}$, i.e. we need to calculate the latter term given only $g^{\mathsf{x}} = (g^c, g^d)$ and $\mathsf{y} = (e, f)$, where $\mathsf{y} \in \mathbb{F}_p$. This is easily done by doing the multiplication in the exponent within $\mathbb{F}_p$, as

$g^{\mathsf{xy}} = g^{(ce - df,\; cf + de)} = (g^{ce - df}, g^{cf + de}) \overset{(2)}{=} (g^{ce} g^{-df}, g^{cf} g^{de}) = ((g^c)^e (g^d)^{-f}, (g^c)^f (g^d)^e). \quad (5)$

Hence, we can define

$(g^{\mathsf{x}})^{\mathsf{y}} = (g^{(c, d)})^{(e, f)} = (g^c, g^d)^{(e, f)}$

through (5) as

$(g^{\mathsf{x}})^{\mathsf{y}} := ((g^c)^e (g^d)^{-f}, (g^c)^f (g^d)^e) = g^{\mathsf{xy}}.$

¹ There, referred to as Fusion-Exponentiation.

Since $g$ is primitive, we can write any two elements $a, b \in G_q$ as $a = g^c$, $b = g^d$ for some integers $c, d \in \mathbb{Z}_q$. Substituting the powers of $g$ in (5) gives

$(g^{\mathsf{x}})^{\mathsf{y}} = (a^e b^{-f}, a^f b^e), \quad (6)$

and the Fusion Exponential Function is found by observing that by (4), any pair $(a, b) \in G_q \times G_q =: G_p$ can be written using powers of $g$ as $(g^c, g^d)$, such that with $g^{\mathsf{x}}$ being represented by $(a, b)$, from (6) we arrive at the definition

$(a, b)^{(e, f)} := (a^e b^{-f}, a^f b^e),$

satisfying (1) by construction. Since $G_p$ is simply the direct product $G_q^2$, it is a group with component-wise multiplication. Having this together with $\mathbb{F}_p$ being a field, the properties (2) and (3) can be verified instantly [34]. To keep computing discrete logarithms hard, it is essential that exponentiation is done using a basis of large order. In $G_q$, every element $g \neq 1$ has maximum order $q$. An analogous result can be shown for $G_p$ regarding the Fusion Exponential Function: every element $\mathsf{g} \neq \mathsf{1}$ can be used to generate $G_p$ using the Fusion Exponential Function, hence the corresponding (fusion) discrete logarithm as the inverse function is well-defined. A proof for the fusion setting where $\mathbb{F}_p = \mathbb{Z}_q[X]/(X^2 + 1)$ can be found in [34].

The focus of the remainder of this paper lies in extending the above constructive approach from $n = 2$ to any $n \geq 1$, thus achieving a definition for the Generalized Fusion Exponential Function.



4 Generalized Fusion Exponential Function 

In this section, we generalize the approach of Section 3 such that exponents are $n$-tuples of integers in $\mathbb{Z}_q$ and bases are $n$-tuples of elements in $G_q$.

Remark 3. Again, we sometimes denote an $n$-tuple $(x_0, \ldots, x_{n-1}) \in \mathbb{Z}_q^n$ resp. $(g_0, \ldots, g_{n-1}) \in G_q^n$ by the sans-serif letter $\mathsf{x}$ resp. $\mathsf{g}$. In contrast to Section 3, the components of an $\mathsf{x}$ are always referred to by the same letter $x_i$ in the standard font, with the associated index $i$.



4.1 Vectors in the Exponent 

Let us replace the source of exponents by the finite field $\mathbb{F}_p := \mathbb{Z}_q[X]/(f)$, where $f$ is an irreducible polynomial of degree $n$, for some integer $n \geq 1$, thus having $p = q^n$. In order to provide a compact generalization of the Fusion Exponential Function, we need to consider the multiplication in $\mathbb{F}_p$ in more detail. Let $\mathsf{x}, \mathsf{y} \in \mathbb{F}_p$, written as

$\mathsf{x} = \sum_{i=0}^{n-1} x_i X^i \quad \text{and} \quad \mathsf{y} = \sum_{i=0}^{n-1} y_i X^i$

for some coefficients $x_i, y_i \in \mathbb{Z}_q$. Without loss of generality, assume $f$ to be monic, and write

$f = \left( \sum_{i=0}^{n-1} f_i X^i \right) + X^n$

for $f_i \in \mathbb{Z}_q$, $i = 0, 1, \ldots, n-1$, and thus obviously

$X^n = \left( -\sum_{i=0}^{n-1} f_i X^i \right) \bmod f. \quad (7)$

Furthermore, the (plain) product $\mathsf{z} = \mathsf{xy}$ is of degree at most $2n$, and the $i$-th coefficient $z_i$ is given by the Cauchy sum

$z_i = \sum_{j, k \geq 0,\; j + k = i} x_j y_k$

for $i = 0, 1, \ldots, 2n$. Thereby, $x_j = 0$ for $j > n-1$ and $y_k = 0$ for $k > n-1$. To find the remainder of $\mathsf{z} = \mathsf{xy} = \sum_{i=0}^{2n} z_i X^i$, we can exploit the representation of $X^n$ through the coefficients of $f$ as given in (7) [22]. This extends to higher orders by taking

$X^{n+1} = X \cdot X^n = X \left( -\sum_{i=0}^{n-1} f_i X^i \right) = -\sum_{i=0}^{n-1} f_i X^{i+1},$

which can again be decomposed recursively to reach a representation solely via the base monomials $1, X, X^2, \ldots, X^{n-1}$. Notice that in this decomposition only products of coefficients of $f$ occur, which means that by rewriting the polynomial $\mathsf{z}$ of degree $2n$ in terms of $1, X, X^2, \ldots, X^{n-1}$, the resulting expressions for the coefficients become nonlinear in each $f_i$, but remain linear in each $x_i$ and in each $y_i$ for all $i = 0, 1, \ldots, n-1$ (cf. the Cauchy sum). Rearranging terms by pulling $x_j$, for $j = 0, \ldots, n-1$, out of all products for the $i$-th coefficient of $\mathsf{xy}$, and denoting the factor associated with $x_j$ as $\lambda_{i,j}(\mathsf{y})$ (omitting the coefficient vector of $f$ because it is static), we can represent the (modulo-reduced) product $\mathsf{xy} \bmod f$ with coefficients $z'_i$ as

$z'_i = \sum_{j=0}^{n-1} x_j \lambda_{i,j}(\mathsf{y}) \quad (8)$

for $i = 0, 1, \ldots, n-1$. Notice that for any fixed $f$, $\lambda_{i,j} : \mathbb{F}_p \to \mathbb{Z}_q$ is a known fixed function for $i, j = 0, 1, \ldots, n-1$, where the linearity in each coefficient of the input is inherited, thus having

$\lambda_{i,j}(\mathsf{x}) + \lambda_{i,j}(\mathsf{y}) = \lambda_{i,j}(\mathsf{x} + \mathsf{y}) \quad (9)$

for all $\mathsf{x}, \mathsf{y} \in \mathbb{F}_p$.

Remark 4. For simplicity, we henceforth represent polynomials exclusively through the vector of their coefficients, i.e. we write either $(x_0, \ldots, x_{n-1})$ or $\mathsf{x}$ instead of $\sum_{i=0}^{n-1} x_i X^i$. Addition is as usual component-wise, and for multiplication we use our adapted representation

$\mathsf{xy} = \left( \sum_{j=0}^{n-1} x_j \lambda_{0,j}(\mathsf{y}), \; \ldots, \; \sum_{j=0}^{n-1} x_j \lambda_{n-1,j}(\mathsf{y}) \right). \quad (10)$

4.2 Construction 

Analogously to (4) we define

$g^{\mathsf{x}} = g^{(x_0, \ldots, x_{n-1})} := (g^{x_0}, \ldots, g^{x_{n-1}}), \quad (11)$

where $\mathsf{x} \in \mathbb{F}_p$, $\mathsf{x} = (x_0, \ldots, x_{n-1})$ and $g \in G_q \setminus \{1\}$. In this setting we wish to calculate $g^{\mathsf{xy}}$, for $\mathsf{y} \in \mathbb{F}_p$, given only $g^{\mathsf{x}} = (g^{x_0}, \ldots, g^{x_{n-1}})$ and $\mathsf{y} = (y_0, \ldots, y_{n-1})$. Carrying out the multiplication $\mathsf{xy}$ in $\mathbb{F}_p$, we find

$g^{\mathsf{xy}} = g^{(x_0, \ldots, x_{n-1})(y_0, \ldots, y_{n-1})} \overset{(10)}{=} g^{\left( \sum_{j=0}^{n-1} x_j \lambda_{0,j}(\mathsf{y}), \; \ldots, \; \sum_{j=0}^{n-1} x_j \lambda_{n-1,j}(\mathsf{y}) \right)}$

$\overset{(11)}{=} \left( g^{\sum_{j=0}^{n-1} x_j \lambda_{0,j}(\mathsf{y})}, \; \ldots, \; g^{\sum_{j=0}^{n-1} x_j \lambda_{n-1,j}(\mathsf{y})} \right)$

$\overset{(2)}{=} \left( \prod_{j=0}^{n-1} g^{x_j \lambda_{0,j}(\mathsf{y})}, \; \ldots, \; \prod_{j=0}^{n-1} g^{x_j \lambda_{n-1,j}(\mathsf{y})} \right)$

$\overset{(1)}{=} \left( \prod_{j=0}^{n-1} (g^{x_j})^{\lambda_{0,j}(\mathsf{y})}, \; \ldots, \; \prod_{j=0}^{n-1} (g^{x_j})^{\lambda_{n-1,j}(\mathsf{y})} \right). \quad (12)$

Hence, as in Section 3, we define

$(g^{\mathsf{x}})^{\mathsf{y}} = \left( g^{(x_0, \ldots, x_{n-1})} \right)^{(y_0, \ldots, y_{n-1})} = (g^{x_0}, \ldots, g^{x_{n-1}})^{(y_0, \ldots, y_{n-1})}$

through (12) as

$(g^{\mathsf{x}})^{\mathsf{y}} := \left( \prod_{j=0}^{n-1} (g^{x_j})^{\lambda_{0,j}(\mathsf{y})}, \; \ldots, \; \prod_{j=0}^{n-1} (g^{x_j})^{\lambda_{n-1,j}(\mathsf{y})} \right) = g^{\mathsf{xy}}. \quad (13)$

Since we can write any element in $G_q$ as a power of the primitive element $g$, we can set $\mathsf{g} = (g_0, \ldots, g_{n-1}) := (g^{x_0}, \ldots, g^{x_{n-1}})$. Substituting the powers of $g$ in (13) gives

$\mathsf{g}^{\mathsf{y}} = (g_0, \ldots, g_{n-1})^{(y_0, \ldots, y_{n-1})} := \left( \prod_{j=0}^{n-1} g_j^{\lambda_{0,j}(\mathsf{y})}, \; \ldots, \; \prod_{j=0}^{n-1} g_j^{\lambda_{n-1,j}(\mathsf{y})} \right) \quad (14)$

for any $\mathsf{g} \in G_p$ and $\mathsf{y} \in \mathbb{F}_p$, fulfilling (1) by construction.

So far we used a basis that is an $n$-tuple of elements of $G_q$. However, we did not yet constrain the basis elements. To ensure that property (2) holds, we need basis elements from $G_p$, being the direct product $G_q^n$. Thus, for $\mathsf{g}, \mathsf{h} \in G_p$, multiplication in $G_p$ is again component-wise:

$(g_0, \ldots, g_{n-1})(h_0, \ldots, h_{n-1}) = (g_0 h_0, \ldots, g_{n-1} h_{n-1}). \quad (15)$

The generalized construction fulfills (2) by the linearity assertion (9), because for any $\mathsf{g} \in G_p$ and $\mathsf{x}, \mathsf{y} \in \mathbb{F}_p$ we have

$\mathsf{g}^{\mathsf{x} + \mathsf{y}} = \left( \prod_{j=0}^{n-1} g_j^{\lambda_{0,j}(\mathsf{x} + \mathsf{y})}, \; \ldots, \; \prod_{j=0}^{n-1} g_j^{\lambda_{n-1,j}(\mathsf{x} + \mathsf{y})} \right)$

$\overset{(9)}{=} \left( \prod_{j=0}^{n-1} g_j^{\lambda_{0,j}(\mathsf{x}) + \lambda_{0,j}(\mathsf{y})}, \; \ldots, \; \prod_{j=0}^{n-1} g_j^{\lambda_{n-1,j}(\mathsf{x}) + \lambda_{n-1,j}(\mathsf{y})} \right)$

$\overset{(2)}{=} \left( \prod_{j=0}^{n-1} g_j^{\lambda_{0,j}(\mathsf{x})} g_j^{\lambda_{0,j}(\mathsf{y})}, \; \ldots, \; \prod_{j=0}^{n-1} g_j^{\lambda_{n-1,j}(\mathsf{x})} g_j^{\lambda_{n-1,j}(\mathsf{y})} \right)$

$\overset{(15)}{=} \left( \prod_{j=0}^{n-1} g_j^{\lambda_{0,j}(\mathsf{x})}, \; \ldots, \; \prod_{j=0}^{n-1} g_j^{\lambda_{n-1,j}(\mathsf{x})} \right) \left( \prod_{j=0}^{n-1} g_j^{\lambda_{0,j}(\mathsf{y})}, \; \ldots, \; \prod_{j=0}^{n-1} g_j^{\lambda_{n-1,j}(\mathsf{y})} \right) = \mathsf{g}^{\mathsf{x}} \mathsf{g}^{\mathsf{y}}.$

In the following, examples are given for $n = 1, 2, 3$. For simplicity we use a matrix representation for all equations with respect to (8) in the following manner for computing $\mathsf{z}' = \mathsf{xy}$, where $\mathsf{x}, \mathsf{y} \in \mathbb{F}_p$:

$\mathsf{z}'^{T} = \Lambda \mathsf{x}^{T}, \quad \text{where } \Lambda = \left( \lambda_{i,j}(\mathsf{y}) \right)_{i,j=0}^{n-1} \in \mathbb{Z}_q^{n \times n}. \quad (16)$

Accordingly, the following examples focus on the particular contents of $\Lambda$.

Example 1. Let $n = 1$, i.e. $\mathbb{F}_q = \mathbb{Z}/q\mathbb{Z}$. Then with respect to Equation (16) we have $\Lambda = (y_0)$, which together with $g_0 = g^{x_0}$ and Equation (14) gives

$\mathsf{g}^{\mathsf{y}} = g_0^{\lambda_{0,0}(\mathsf{y})} = g_0^{y_0}.$

Notice that ordinary exponentiation is hence a special case of fusion exponentiation.

Example 2. Let $n = 2$, i.e. $\mathbb{F}_{q^2} = \mathbb{Z}_q[X]/(X^2 + 1)$. Then w.r.t. Equation (16) we have

$\Lambda = \begin{pmatrix} y_0 & -y_1 \\ y_1 & y_0 \end{pmatrix},$

which together with $g_j = g^{x_j}$, for $j = 0, 1$, and Equation (14) gives

$\mathsf{g}^{\mathsf{y}} = \left( g_0^{y_0} g_1^{-y_1}, \; g_0^{y_1} g_1^{y_0} \right).$

Example 3. Let $n = 3$, i.e. $\mathbb{F}_{q^3} = \mathbb{Z}_q[X]/(X^3 + X + 1)$, for instance. Then w.r.t. Equation (16) we have

$\Lambda = \begin{pmatrix} y_0 & -y_2 & -y_1 \\ y_1 & y_0 - y_2 & -y_2 - y_1 \\ y_2 & y_1 & y_0 - y_2 \end{pmatrix},$

which together with $g_j = g^{x_j}$, for $j = 0, 1, 2$, and Equation (14) gives

$\mathsf{g}^{\mathsf{y}} = \left( g_0^{y_0} g_1^{-y_2} g_2^{-y_1}, \; g_0^{y_1} g_1^{y_0 - y_2} g_2^{-y_2 - y_1}, \; g_0^{y_2} g_1^{y_1} g_2^{y_0 - y_2} \right).$
Fusion and Mixing: The concept of fusion has so far only been introduced intuitively, by requiring a dependency of every component of the output on every component of the input. Similar concepts exist in cryptography; for example, the avalanche effect calls for a comparable influence of every input bit on every output bit of a reasonable block cipher. Here, things are slightly more involved, but the matrix structure may provide an answer as to how the dependency relations look. For example, if $\Lambda$ is of diagonal shape, then this results in a mere component-wise exponential function (cf. Equation (11)). Otherwise, if the matrix is reducible, then its rows and columns can be permuted to reach a block form, so that no cross-influence among blocks exists (a diagonal matrix is a trivial example). In the fusion exponentiation setting, this amounts to a failure of the desired mixing properties, as the set of input variables can be partitioned into at least two disjoint sets, with mutual influence present only within subsets, but not across all variables. Though a rigorous proof is not yet available, the matrix $\Lambda$ appears to never have zero entries and is as such always irreducible. It would follow that the desired dependencies exist among all variables, with no variable enjoying exceptionally stronger influence than any other.

4.3 Resulting Definition of Generalized Fusion Exponential Function 

Since property (3) is redundant (cf. Remark 1), we can state

Definition 1. Let $\mathbb{F}_p$ be a field with $p = q^n$, for some integer $n \geq 1$, and $G_p$ be the $n$-fold direct product $G_q^n$, where $G_q$ is a group of prime order $q$. The Generalized Fusion Exponential Function is defined as

$\mathsf{g}^{\mathsf{x}} := \left( \prod_{j=0}^{n-1} g_j^{\lambda_{0,j}(\mathsf{x})}, \; \ldots, \; \prod_{j=0}^{n-1} g_j^{\lambda_{n-1,j}(\mathsf{x})} \right) \quad (17)$

for $\mathsf{g} \in G_p$, $\mathsf{x} \in \mathbb{F}_p$ and $\lambda_{i,j} : \mathbb{F}_p \to \mathbb{Z}_q$ as defined in Section 4.1.

Remark 5. Notice that for $\mathsf{g} = (g, 1, \ldots, 1) \in G_p$ and $\mathsf{1} = (1, 0, \ldots, 0) \in \mathbb{F}_p$ (i.e. the 1-element in $\mathbb{F}_p$) we have

$\mathsf{g} = (g, 1, \ldots, 1) = (g^1, g^0, \ldots, g^0) \overset{(11)}{=} g^{(1, 0, \ldots, 0)} = g^{\mathsf{1}}. \quad (18)$

4.4 Primitive Elements 

In $G_q$, the discrete logarithm of $y \in G_q$ to the base $g \in G_q$, $g \neq 1$, is well defined because $q$ is prime. Since $|\mathbb{Z}_q| = |G_q|$, exponentiation is bijective for exponents taken from $\mathbb{Z}_q$. This property is important to keep computing discrete logarithms hard: any element $g \in G_q$ distinct from $1$ is a generator of $G_q$. An analogous, and for many cryptosystems mandatory, result is that generalized fusion exponentiation is also bijective, i.e. that any $\mathsf{g} \in G_p \setminus \{\mathsf{1}\}$ can be used to generate the $n$-fold direct product $G_p = G_q^n$ by means of the Generalized Fusion Exponential Function. In fact, this is true:

Theorem 4. The Generalized Fusion Exponential Function is bijective.

Proof. Since $|G_p| = |\mathbb{F}_p|$, it suffices to show that the Generalized Fusion Exponential Function is injective. Assume that $\mathsf{g}^{\mathsf{b}} = \mathsf{g}^{\mathsf{c}}$ for some $\mathsf{b}, \mathsf{c} \in \mathbb{F}_p$ and $\mathsf{g} \in G_p \setminus \{\mathsf{1}\}$. Through (11), $\mathsf{g}$ can be written as $g^{\mathsf{x}}$, for some $g \in G_q \setminus \{1\}$ and some vector $\mathsf{x} \in \mathbb{F}_p$, which, applied to $\mathsf{g}^{\mathsf{b}} = \mathsf{g}^{\mathsf{c}}$, gives $(g^{\mathsf{x}})^{\mathsf{b}} = (g^{\mathsf{x}})^{\mathsf{c}}$. Through property (1) and the commutativity of multiplication in $\mathbb{F}_p$ we can write $(g^{\mathsf{b}})^{\mathsf{x}} = (g^{\mathsf{c}})^{\mathsf{x}}$, which holds if and only if $g^{\mathsf{b}} = g^{\mathsf{c}}$. By the injectivity of exponentiation in $G_q$ this implies $b_i = c_i$ for all components $i = 0, 1, \ldots, n-1$ and hence $\mathsf{b} = \mathsf{c}$. □

A consequence of this theorem is that given $\mathsf{y} \in G_p$ and $\mathsf{g} \in G_p \setminus \{\mathsf{1}\}$, exactly one $\mathsf{x} \in \mathbb{F}_p$ exists such that $\mathsf{y} = \mathsf{g}^{\mathsf{x}}$. This justifies the following definition as sound:

Definition 2. Let $\mathsf{g} \in G_p \setminus \{\mathsf{1}\}$. The Generalized Fusion Discrete Logarithm is defined as follows:

$\mathrm{fdlog}_{\mathsf{g}} : G_p \to \mathbb{F}_p, \quad \mathrm{fdlog}_{\mathsf{g}}(\mathsf{y}) = \mathsf{x} \text{ s.t. } \mathsf{y} = \mathsf{g}^{\mathsf{x}}. \quad (19)$

5 Fusion Discrete Logarithm Problems 

In this section the Fusion Discrete Logarithm Problems are defined. Furthermore, some relations among these 
problems and the standard setting are shown. 

Definition 3. Let $\mathbb{F}_p$, $G_p$ and $n$ be as used in Definition 1 and assume that they are publicly known. Furthermore, let $\mathsf{g} \in G_p \setminus \{\mathsf{1}\}$.

1. Let $\mathsf{y} = \mathsf{g}^{\mathsf{x}}$, where $\mathsf{x} \in \mathbb{F}_p$. The $n$-Fusion Discrete Logarithm Problem ($n$-FDLP) is the following: given $\mathsf{y}$ and $\mathsf{g}$, find $\mathsf{x}$.

2. Let $\mathsf{y}_1 = \mathsf{g}^{\mathsf{x}_1}$, $\mathsf{y}_2 = \mathsf{g}^{\mathsf{x}_2}$, where $\mathsf{x}_1, \mathsf{x}_2 \in \mathbb{F}_p$. The $n$-Fusion Diffie-Hellman Problem ($n$-FDHP) is the following: given $\mathsf{y}_1$, $\mathsf{y}_2$ and $\mathsf{g}$, find $\mathsf{g}^{\mathsf{x}_1 \mathsf{x}_2}$.

3. Let $\mathsf{y}_1 = \mathsf{g}^{\mathsf{x}_1}$, $\mathsf{y}_2 = \mathsf{g}^{\mathsf{x}_2}$, $\mathsf{y}_3 = \mathsf{g}^{\mathsf{x}_3}$, where $\mathsf{x}_1, \mathsf{x}_2, \mathsf{x}_3 \in \mathbb{F}_p$. The $n$-Fusion Decision Diffie-Hellman Problem ($n$-FDDP) is the following: given $\mathsf{y}_1$, $\mathsf{y}_2$, $\mathsf{y}_3$ and $\mathsf{g}$, decide if $\mathsf{x}_3 = \mathsf{x}_1 \mathsf{x}_2$.

[Figure 1 in the original is a diagram: the standard problems DLP, DHP, DDP and their fusion counterparts, with the reductions between them labelled "trivial", "unknown" or "Cor. 2"; the unknown direction between the DDP and the n-FDDP is marked as one that could yield benefits (cf. Section 6).]

Figure 1: Relations among (Fusion) Discrete Logarithm Problems, n > 2. 

For reductions we use the following notation from complexity theory. Let $A$ and $B$ be two computational problems. We say that $A$ poly-time reduces to $B$ if an algorithm can be given which, using an oracle for $B$ as a subroutine, can solve $A$ with poly-time additional costs. This is denoted as $A \leq_p B$. For the case that both $A \leq_p B$ and $B \leq_p A$ hold, we write $A =_p B$ and say that "$A$ and $B$ are computationally equivalent".

Figure 1 illustrates some relations among the Discrete Logarithm Problems in the standard and in the fusion setting. Solving the $n$-FDLP leads to trivial solutions to the $n$-FDHP and the $n$-FDDP. Solving the $n$-FDHP leads to a trivial solution to the $n$-FDDP. Hence, we have an analogous result as in the standard setting.

As mentioned in the introduction, DLP $=_p$ DHP has been shown to hold for groups whose order is free of multiple large prime factors [26]. This is the case for $G_q$, since $q$ is prime. Having the trivial reduction DHP $\leq_p$ DLP, we state the following theorem as a reference to the results in [26]:

Theorem 5. DLP $=_p$ DHP.

For the reductions in the fusion setting we start with the relation between the $n$-FDLP and the DLP.

Theorem 6. For all $n \in \mathbb{N}$ we have $n$-FDLP $=_p$ DLP.

Proof. For showing $n$-FDLP $\leq_p$ DLP, let $\mathsf{y} = \mathsf{g}^{\mathsf{x}}$, where $\mathsf{g} \in G_p \setminus \{\mathsf{1}\}$ and $\mathsf{x} \in \mathbb{F}_p$. We wish to find $\mathsf{x}$, given only $\mathsf{y}$, $\mathsf{g}$ and an oracle solving the DLP in polynomial time. Let $\mathsf{g} = (g_0, \ldots, g_{n-1}) = (g^{w_0}, \ldots, g^{w_{n-1}})$ and $\mathsf{y} = (y_0, \ldots, y_{n-1}) = (g^{z_0}, \ldots, g^{z_{n-1}})$ for some $g \in G_q \setminus \{1\}$. We obtain $w_i = \mathrm{dlog}_g(g_i)$ and $z_i = \mathrm{dlog}_g(y_i)$, for $i = 0, 1, \ldots, n-1$, by using the oracle. Hence, we have

$\mathsf{g}^{\mathsf{x}} \overset{(11)}{=} (g^{\mathsf{w}})^{\mathsf{x}} \overset{(1)}{=} g^{\mathsf{wx}} = g^{\mathsf{z}}$

and thus $\mathsf{z} = \mathsf{wx} \in \mathbb{F}_p$. Since $\mathsf{w}$, $\mathsf{z}$ and $\mathbb{F}_p$ are known, one obtains $\mathsf{x} = \mathsf{z} \mathsf{w}^{-1}$. Notice that $\mathsf{w} \neq 0$ since $\mathsf{g} \neq \mathsf{1}$.

For establishing DLP $\leq_p$ $n$-FDLP, let $y = g^x$, where $g \in G_q \setminus \{1\}$ and $x \in \mathbb{Z}_q$. We wish to find $x$, given only $y$, $g$ and an oracle solving the $n$-FDLP in polynomial time. Let $\mathsf{y} := (y, \ldots, y) \in G_p$ and $\mathsf{g} := (g, 1, \ldots, 1) \in G_p$. By (18), $\mathsf{g}$ can be written as $g^{\mathsf{1}}$, where $\mathsf{1}$ is the 1-element in $\mathbb{F}_p$. Furthermore, through (11) $\mathsf{y}$ can be written as $g^{\mathsf{x}}$, for $\mathsf{x} := (x, \ldots, x) \in \mathbb{F}_p$. Hence we have

$\mathsf{y} = g^{\mathsf{x}} = g^{\mathsf{1} \mathsf{x}} \overset{(1)}{=} (g^{\mathsf{1}})^{\mathsf{x}} \overset{(18)}{=} \mathsf{g}^{\mathsf{x}}$

and thus $\mathsf{x} = \mathrm{fdlog}_{\mathsf{g}}(\mathsf{y})$ can be obtained by the given oracle, revealing $x$. Assuming the oracles are efficient, the above reductions are efficient too. □
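As an added example (not code from the paper), the following Python sketch implements the construction of Sections 4.1 and 4.2 (the matrix $\Lambda$ of Equation (16) and $\mathsf{g}^{\mathsf{y}}$ of Definition 1) and the first half of the proof of Theorem 6, the reduction $n$-FDLP $\leq_p$ DLP, on a toy group. The parameters are constructed: $G_q$ is the subgroup of order $q = 7$ in $\mathbb{Z}_{29}^*$ generated by 16, the fields are $\mathbb{Z}_7[X]/(X^2+1)$ and $\mathbb{Z}_7[X]/(X^3+X+1)$ (both irreducible over $\mathbb{Z}_7$), and a brute-force discrete logarithm stands in for the DLP oracle; nothing here is of cryptographic size.

```python
# Toy instance of the Generalized Fusion Exponential Function (constructed
# parameters, far too small for security): G_q is the order-7 subgroup of
# Z_29^* generated by 16, so all exponents live in Z_7.
P_MOD = 29   # modulus of the ambient group Z_29^*
Q = 7        # prime order q of G_q
G = 16       # generator of G_q (16^7 = 1 mod 29)
F2 = [1, 0]      # f = X^2 + 1,    stored as (f_0, f_1); the monic X^2 is implied
F3 = [1, 1, 0]   # f = X^3 + X + 1, stored as (f_0, f_1, f_2)


def poly_mulmod(x, y, f, q):
    """Product xy in Z_q[X]/(f) for coefficient vectors x, y (Section 4.1).
    f holds only f_0..f_{n-1} of the monic degree-n polynomial."""
    n = len(f)
    z = [0] * (2 * n - 1)
    for j, xj in enumerate(x):                 # Cauchy sum: the plain product
        for k, yk in enumerate(y):
            z[j + k] = (z[j + k] + xj * yk) % q
    for i in range(2 * n - 2, n - 1, -1):      # reduce X^i via X^n = -sum_t f_t X^t, Eq. (7)
        c, z[i] = z[i], 0
        for t in range(n):
            z[i - n + t] = (z[i - n + t] - c * f[t]) % q
    return z[:n]


def poly_add(x, y, q):
    return [(a + b) % q for a, b in zip(x, y)]


def lambda_matrix(y, f, q):
    """Lambda = (lambda_{i,j}(y)) of Eq. (16). The reduced product is linear in x,
    so column j is simply e_j * y mod f, where e_j is the j-th unit vector."""
    n = len(f)
    cols = [poly_mulmod([int(t == j) for t in range(n)], y, f, q) for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def fusion_exp(g_vec, y, f, q, p_mod):
    """g^y per Definition 1 / Eq. (17): component i is prod_j g_j^{lambda_{i,j}(y)}."""
    lam = lambda_matrix(y, f, q)
    out = []
    for i in range(len(f)):
        acc = 1
        for j, gj in enumerate(g_vec):
            acc = acc * pow(gj, lam[i][j], p_mod) % p_mod
        out.append(acc)
    return out


def check_properties(g_vec, x, y, f, q, p_mod):
    """Return (prop1, prop2): (g^x)^y == g^{xy} and g^{x+y} == g^x g^y, Eqs. (1), (2)."""
    lhs1 = fusion_exp(fusion_exp(g_vec, x, f, q, p_mod), y, f, q, p_mod)
    rhs1 = fusion_exp(g_vec, poly_mulmod(x, y, f, q), f, q, p_mod)
    lhs2 = fusion_exp(g_vec, poly_add(x, y, q), f, q, p_mod)
    gx = fusion_exp(g_vec, x, f, q, p_mod)
    gy = fusion_exp(g_vec, y, f, q, p_mod)
    rhs2 = [a * b % p_mod for a, b in zip(gx, gy)]   # component-wise product, Eq. (15)
    return lhs1 == rhs1, lhs2 == rhs2


def dlog_oracle(g, y, q, p_mod):
    """Brute-force discrete log in the tiny group; stands in for the DLP oracle."""
    for e in range(q):
        if pow(g, e, p_mod) == y:
            return e
    raise ValueError("y is not in the subgroup generated by g")


def field_inverse(w, f, q):
    """w^{-1} in F_p, p = q^n, computed as w^{p-2} by square-and-multiply."""
    n = len(f)
    e, result, base = q ** n - 2, [1] + [0] * (n - 1), list(w)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, f, q)
        base = poly_mulmod(base, base, f, q)
        e >>= 1
    return result


def fdlog_via_dlp(g_vec, y_vec, f, q, p_mod, g):
    """n-FDLP <=_p DLP (Theorem 6): w_i = dlog_g(g_i), z_i = dlog_g(y_i), x = z w^{-1}."""
    w = [dlog_oracle(g, gi, q, p_mod) for gi in g_vec]
    z = [dlog_oracle(g, yi, q, p_mod) for yi in y_vec]
    return poly_mulmod(z, field_inverse(w, f, q), f, q)


if __name__ == "__main__":
    print(lambda_matrix([3, 5], F2, Q))          # Example 2: (y0, -y1; y1, y0) mod 7
    g3 = [pow(G, w, P_MOD) for w in (3, 0, 5)]   # basis g = (g^3, g^0, g^5), w != 0
    x3 = [2, 6, 1]
    print(check_properties(g3, x3, [4, 1, 6], F3, Q, P_MOD))
    y3 = fusion_exp(g3, x3, F3, Q, P_MOD)
    print(fdlog_via_dlp(g3, y3, F3, Q, P_MOD, G) == x3)
```

The lambda matrices printed for $n = 2$ and $n = 3$ can be compared entry by entry with Examples 2 and 3 (reduced mod 7).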

An immediate corollary is the following: 

Corollary 1. For all $n, m \in \mathbb{N} \setminus \{0\}$, we have $n$-FDLP $=_p$ $m$-FDLP.

From a security point of view, this means that the fusion setting is an asset in providing algebraic properties, but will not give increased security by hardening any underlying computational problem. We come back to this later, when we discuss possible applications.

Based on Theorems 5 and 6 we can state

Theorem 7. For all $n \in \mathbb{N}$ we have $n$-FDHP $=_p$ DHP.

Proof. Due to Theorem 5 we have DLP $=_p$ DHP and together with Theorem 6 we thus have

DHP $=_p$ DLP $=_p$ $n$-FDLP $\geq_p$ $n$-FDHP.

For the reverse direction DHP $\leq_p$ $n$-FDHP, let $y_i = g^{x_i}$, where $x_i \in \mathbb{Z}_q$, for $i = 1, 2$. Querying an oracle for the $n$-FDHP with the inputs $\mathsf{y}_1 = (y_1, 1, \ldots, 1)$, $\mathsf{y}_2 = (y_2, 1, \ldots, 1)$ and $\mathsf{g} = (g, 1, \ldots, 1)$ results in $\mathsf{y}_3 = (g^{x_1 x_2}, 1, \ldots, 1)$, since $(y_1, 1, \ldots, 1) = (g, 1, \ldots, 1)^{(x_1, 0, \ldots, 0)}$, $(y_2, 1, \ldots, 1) = (g, 1, \ldots, 1)^{(x_2, 0, \ldots, 0)}$ and $(x_1, 0, \ldots, 0)(x_2, 0, \ldots, 0) = (x_1 x_2, 0, \ldots, 0)$. Thus, $y_3 = g^{x_1 x_2}$ is stored in the first component of $\mathsf{y}_3$. □

The result $n$-FDHP $=_p$ DHP together with DLP $=_p$ DHP and DLP $=_p$ $n$-FDLP gives the same relation between the $n$-FDLP and the $n$-FDHP as in the standard setting, summarized in

Corollary 2. For all $n \in \mathbb{N}$, we have $n$-FDLP $=_p$ $n$-FDHP.

Regarding the DDP and the $n$-FDDP the situation is less clear. The following theorem shows the trivial reduction from the DDP to the $n$-FDDP.

Theorem 8. For all $n \in \mathbb{N}$, we have DDP $\leq_p$ $n$-FDDP.

Proof. Let $y_i = g^{x_i}$, where $x_i \in \mathbb{Z}_q$, for $i = 1, 2, 3$. Notice that $(x_1, 0, \ldots, 0)(x_2, 0, \ldots, 0) = (x_1 x_2, 0, \ldots, 0)$. Hence, querying an oracle for the $n$-FDDP with the inputs $\mathsf{y}_1 = (y_1, 1, \ldots, 1)$, $\mathsf{y}_2 = (y_2, 1, \ldots, 1)$, $\mathsf{y}_3 = (y_3, 1, \ldots, 1)$ and $\mathsf{g} = (g, 1, \ldots, 1)$ results in 1 iff $(x_3, 0, \ldots, 0) = (x_1, 0, \ldots, 0)(x_2, 0, \ldots, 0)$, and 0 otherwise. □

The reverse direction is unknown and might yield some security benefits (cf. Section 6). It is also unknown whether $n$-FDHP $\leq_p$ $n$-FDDP holds (as in the standard setting).

Remark 6. Notice that the bit-security is always associated with the same prime $q$, since the standard and the fusion setting refer to the same security parameter $q$. Thus, the $n$-FDLP, regardless of how large $n$ is, can never be harder than the DLP. The attacks always work with running time in $O(\sqrt{q})$.

6 Possible Security Benefits 

One interesting open problem is to show $n$-FDDP $\leq_p$ DDP, for $n > 1$ (of course $n = 1$ is trivial since 1-FDDP $=$ DDP). Since we want to find a generic algorithm, we are only allowed to use the group operations as black boxes and an oracle for solving the DDP in polynomial time. Such an oracle, however, does not provide more than true/false decisions. All current approaches to give an efficient reduction to the DDP end up requiring an oracle for solving the DHP. Such an oracle, however, is not available for this (direct) reduction from the $n$-FDDP to the DDP (i.e. without solving the DHP or DLP).

The above stated open problems yield an interesting conjecture: if the computational equivalence between the DDP and the $n$-FDDP cannot be shown for all $n > 1$, then the $n$-FDDP seems to be a stronger problem than the DDP (at least for one $n$). Thus, if the DDP is efficiently solved directly (i.e. without solving the DLP or DHP), then related cryptosystems like ElGamal or Cramer-Shoup will become vulnerable. However, if our conjecture remains unrefuted, then such cryptosystems will still remain secure within the (generalized) fusion setting.

7 Applications 

It is obvious that the fusion setting is less efficient than the standard setting: the number of exponentiations in $G_q$ grows quadratically with $n$. Aside from the possible security benefits as stated in Section 6, the following applications might be of interest:

Verifiable Secret Sharing in $\mathbb{F}_{q^n}$: Shamir's secret sharing scheme [36] is normally used for sharing secrets in $\mathbb{Z}_q$. It is secure against $t < n$ passive adversaries. If the holder of a share sends a corrupted value during the reconstruction phase, the result is incorrect. To counter this problem, mechanisms can be included to enable all participants to jointly identify active malicious parties. Such sharing schemes are called Verifiable Secret Sharing. Many of them make use of the properties of exponentiation in $G_q$ (Section 2.1) such that the verification of shares can be done in hidden form. For the case that one wants to share a secret in $\mathbb{F}_{q^n}$, all such Verifiable Secret Sharing schemes can be transferred to the fusion setting, since Fusion Exponentiation provides the same properties and security level.

Secure Multi-Party Computation in $\mathbb{F}_{q^n}$ with Active Adversaries: Secure multi-party computation over shared secrets in $\mathbb{Z}_q$ is well known [18, 17, 19]. The protocols with security against passive adversaries (as is the case for Shamir's secret sharing) are generic in the sense that they can also be applied if secrets are shared in $\mathbb{F}_{q^n}$. For protocols that are secure against active adversaries, verifiable secret sharing schemes such as the ones mentioned above are often used. Using Fusion Exponentiation again yields the benefit that secure multi-party computation over $\mathbb{F}_{q^n}$ with respect to active adversaries can be realized in the fusion setting.

Threshold Cryptosystems in $G_{q^n}$: Clearly, DL-based cryptosystems can be realized in the fusion setting. Due to the fact that verifiable secret sharing and secure multi-party computation can be used straightforwardly in $\mathbb{F}_{q^n}$, transforming DL-based threshold cryptosystems to the fusion setting is easy.

Signature Schemes: Apart from the well-known concept of signatures, such as put forth in the first papers about public-key cryptography, a vast amount of more sophisticated concepts has evolved. For instance, redactable signatures allow for exchanging certain parts of a document without invalidating the signature, aggregate signatures [3] permit assembling several signatures into a single one, multisignatures [20] are the several-person counterpart of a standard signature, and so on. As most of these are based on arithmetic that has been carried over to the fusion setting, fusion exponentiation appears as a natural candidate for constructing signatures with modifiable components, or with several signatures being aggregated, yet still verifiable one by one.



The full potential of fusion exponentiation is surely not exhaustively described by this paper. Among the open problems (which may yield security benefits compared to the ordinary setting) is a formalization of the fusion properties (i.e. dependencies of output variables on input variables), and their connection to the structure of the matrix $\Lambda$. This may be the key for proving a property that is known as the avalanche effect in different contexts. Even more interesting is the potential for constructing sophisticated signature schemes that otherwise (until now) rely on more complicated algebraic structures like supersingular hyperelliptic curve groups and bilinear pairings. Finally, the concept is fascinating from a purely algebraic point of view too, since it appears to be the first generalization of the exponential function that carries over to vectors in the exponent in finite fields.



8 Future Work 



A Further Example-Instantiations of Fusion-Exponentiation 



Example 9. Let $n = 4$, i.e. $\mathbb{F}_{q^4} = \mathbb{Z}_q[X]/(X^4 + X + 1)$, for instance. Then w.r.t. Equation (16) we have

$\Lambda = \begin{pmatrix} y_0 & -y_3 & -y_2 & -y_1 \\ y_1 & y_0 - y_3 & -y_2 - y_3 & -y_1 - y_2 \\ y_2 & y_1 & y_0 - y_3 & -y_2 - y_3 \\ y_3 & y_2 & y_1 & y_0 - y_3 \end{pmatrix},$

which together with $g_j = g^{x_j}$, for $j = 0, \ldots, 3$, and Equation (14) gives

$\mathsf{g}^{\mathsf{y}} = \left( g_0^{y_0} g_1^{-y_3} g_2^{-y_2} g_3^{-y_1}, \; g_0^{y_1} g_1^{y_0 - y_3} g_2^{-y_2 - y_3} g_3^{-y_1 - y_2}, \; g_0^{y_2} g_1^{y_1} g_2^{y_0 - y_3} g_3^{-y_2 - y_3}, \; g_0^{y_3} g_1^{y_2} g_2^{y_1} g_3^{y_0 - y_3} \right).$



Example 10. Let $n = 5$, i.e. $\mathbb{F}_{q^5} = \mathbb{Z}_q[X]/(X^5 + X^2 + 1)$, for instance. Then w.r.t. Equation (16) we have

$\Lambda = \begin{pmatrix} y_0 & -y_4 & -y_3 & -y_2 & -y_1 + y_4 \\ y_1 & y_0 & -y_4 & -y_3 & -y_2 \\ y_2 & y_1 - y_4 & y_0 - y_3 & -y_2 - y_4 & -y_1 - y_3 + y_4 \\ y_3 & y_2 & y_1 - y_4 & y_0 - y_3 & -y_4 - y_2 \\ y_4 & y_3 & y_2 & y_1 - y_4 & y_0 - y_3 \end{pmatrix},$

which together with $g_j = g^{x_j}$, for $j = 0, \ldots, 4$, and Equation (14) gives

$\mathsf{g}^{\mathsf{y}} = \left( g_0^{y_0} g_1^{-y_4} g_2^{-y_3} g_3^{-y_2} g_4^{-y_1 + y_4}, \; g_0^{y_1} g_1^{y_0} g_2^{-y_4} g_3^{-y_3} g_4^{-y_2}, \; g_0^{y_2} g_1^{y_1 - y_4} g_2^{y_0 - y_3} g_3^{-y_2 - y_4} g_4^{-y_1 - y_3 + y_4}, \; g_0^{y_3} g_1^{y_2} g_2^{y_1 - y_4} g_3^{y_0 - y_3} g_4^{-y_4 - y_2}, \; g_0^{y_4} g_1^{y_3} g_2^{y_2} g_3^{y_1 - y_4} g_4^{y_0 - y_3} \right).$